[keycloak-user] Mapping SAML attributes from ADFS

Rens Verhage Rens.Verhage at topicus.nl
Mon Jun 4 06:23:43 EDT 2018


Thanks Tony! This helped a lot.

After mapping the attributes like this everything works fine:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname -> lastName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname -> firstName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress -> email


Rens

On 4 Jun 2018, at 11:58, Tony Harris <Tony.Harris at oneadvanced.com> wrote:

This might help get you started.  This maps the surname claim in SAML to the LastName attribute in Keycloak.

The SAML names here should give you the name of the others.  https://www.ibm.com/support/knowledgecenter/en/SSCT62/com.ibm.iamservice.doc/concepts/saml_assertion_credential_token_mapping_adfs_azure.html

[Attached image: image001.png]

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Rens Verhage
Sent: 04 June 2018 10:28
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Mapping SAML attributes from ADFS

Hi all,

I’m having some trouble importing users from ADFS. On first-time login, Keycloak displays the user registration form with only the username pre-filled; first name, last name and e-mail address are empty. According to the ADFS administrator, these attributes are being sent in the SAML response.

Do I have to explicitly map these attributes?

How can I log the SAML response in plain text? All SAML assertions are encrypted; how can I log / debug the mapping of user attributes?


Rens


_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
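
An added example, not part of the thread and not Keycloak's own code: given an already decrypted assertion, it checks which of the three ADFS claim URIs mapped above arrive with a value and which are absent or empty. The sample assertion, its values and the function name `map_claims` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Mapping from the thread: ADFS claim URI -> Keycloak user attribute.
CLAIM_TO_KEYCLOAK = {
    CLAIMS + "surname": "lastName",
    CLAIMS + "givenname": "firstName",
    CLAIMS + "emailaddress": "email",
}

# Constructed sample: a decrypted assertion fragment, not captured traffic.
SAMPLE_ASSERTION = f"""\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}surname">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{CLAIMS}givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{CLAIMS}emailaddress"/>
  </saml:AttributeStatement>
</saml:Assertion>"""


def map_claims(assertion_xml, mapping=CLAIM_TO_KEYCLOAK):
    """Return (mapped, missing): user attributes found, and claims absent or empty."""
    if "<!DOCTYPE" in assertion_xml:
        # A SAML assertion never needs a DTD; refuse it before parsing.
        raise ValueError("DTD not allowed in a SAML assertion")
    root = ET.fromstring(assertion_xml)
    sent = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)
                  if v.text and v.text.strip()]
        sent[attr.get("Name")] = values
    mapped, missing = {}, []
    for claim, user_attr in mapping.items():
        if sent.get(claim):
            mapped[user_attr] = sent[claim][0]  # first value only
        else:
            missing.append(claim)  # not sent, or sent without a value
    return mapped, missing


if __name__ == "__main__":
    mapped, missing = map_claims(SAMPLE_ASSERTION)
    print("mapped:", mapped)
    print("missing or empty:", missing)
```
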
